AI-Driven Security Alert Screening and Alert Fatigue Mitigation in Security Operations Centers: A Survey
Samuel Ndichu, Tao Ban, Seiichi Ozawa, Takeshi Takahashi, Daisuke Inoue

TL;DR
This survey reviews AI-driven methods for alert screening and fatigue mitigation in Security Operations Centers, highlighting gaps in validation, robustness, and generalization, and proposing a research agenda for trustworthy Cognitive Security Operations.
Contribution
It synthesizes 119 studies into a four-stage workflow taxonomy and identifies key gaps and future directions in AI-based security alert management.
Findings
Persistent gaps in operational validation and robustness.
Challenges in cross-environment generalization.
Need for improved evaluation practices.
Abstract
Security alert screening is the downstream task of filtering, prioritizing, correlating, and contextualizing alerts for analyst attention in Security Operations Centers. This survey reviews artificial-intelligence-driven alert screening and alert-fatigue mitigation from 2015 to 2026. We synthesize 119 records, including 87 core studies, into a four-stage workflow taxonomy covering filtering, triage, correlation, and generative augmentation. We find persistent gaps in operational validation, adversarial robustness, cross-environment generalization, and evaluation practice. The survey concludes with a research agenda toward trustworthy Cognitive Security Operations Centers.
